Here stands a conduit containing a veritable mishmash of varied topics and thoughts dedicated to the raw musings that somehow manage to pop into the heads of two Random Plebeians in American society...One's abroad. One's not. Both try to avoid getting angry and cynical.

06 May 2013

Internet Filtering Series -- Part VI (Dedicated Filtering)

The final lab in this series is a rather interesting one. Many larger entities, such as multi-national corporations, research universities, government contractors, and even arms of state and national governments, deploy dedicated hardware meant to increase network security.

In this case, the equipment is often purchased from a major security vendor (e.g. Sophos, Barracuda, Cisco) and mounted in racks or cabinets in the network operations centre (NOC) or primary data centres of these entities. Commonly, the equipment includes web monitoring/filtering, email and anti-spam appliances, firewalls, secure gateways, intrusion detection and prevention (IDS/IPS) capabilities, and centralised management that can integrate with an entity's directory (such as Windows Active Directory domains).

Also, on a personal note: since I've been involved with designing and implementing such a solution, it's rather fitting that I take a good look from multiple standpoints. Thus the lab contains an amalgam of several things I've actually seen or had to address in the field. It was also done partially using physical equipment and partially via VMware.

Typical Real-World Scenarios Addressed:

Agencies of a national government or military (e.g. to comply with FISMA in the United States)

A multi-national corporation

Businesses and organisations that deal with highly-sensitive data (e.g. that which concerns financial, health, or national-security information that can be highly-damaging if leaked)

A major state/provincial research university

A major Internet Service Provider (ISP)

Specific Scenario Details:

You are Lloyd (or, if you're a woman, Luann) User, and you have been working for the government for about six months. Specifically, you are an agent for the Department of Redundancy Department. The department's headquarters are just outside of Washington, DC. Though you heard of the notoriously strict technology policies when you were hired, you didn't pay much heed to them, figuring you'd just work anyway. One day at lunch, you decide to try to upload some pictures from the football party you had last weekend to Facebook, but find that you can neither access Facebook in the browser nor even access your "thumb drive."

Curiosity gets the better of you, and while you consider yourself more-knowledgeable than the "average PC user," you're far from being a "hacker." So, you decide to experiment and see if there's a way you could quietly go about your, ahem, business without being too brash about it...

Pinholes (allow rules in the filtering policy) exist to provide access to internal resources such as the local intranet and network shares.

Notes/Assumptions:

It's your workstation, so you obviously have physical access

You manage to pop into the computer's BIOS and find the boot settings locked. So, you can rule out any sort of approach that employs booting to an alternate operating system.

Your department was deemed not to require flash drives, as you have extensive space on the network shares, and you also have limited access to your workstation whilst "on the road" by way of a company-issued laptop that is locked down at least as much as your "regular" workstation.

Agency forbids bring-your-own-device (BYOD), so that option is out

Within Windows, you don't have access to USB or optical devices (there is no floppy or tape drive) due to "software restrictions"

The cause of the arguably-draconian policies involved low productivity by office staff coupled with three major incidents involving confidential and/or classified material held and accessed by the department that happened not long before you started. Software restrictions were placed to deter the more "cunning" users from trying to get around the web appliances

The department's IT and HR personnel have numerous ways to tell if you're trying to circumvent the filtering--and the related restriction policies

Your supervisor does have more access to content, and passes it to you on a "need-to-know" basis

Assume you do not have the resources, time, etc. to thoroughly conduct a social-engineering campaign against some of the "weaker" staff in the IT department, and therefore cannot rely on that method.

Goals of This Lab:

You are to attempt to bypass the web-filtering appliance, and do so in such a way so as to not draw any more attention to yourself than necessary.

Using a portable device with a mobile carrier despite the prohibition (e.g. a smartphone, or an iPad with a mobile hotspot; to keep it quiet, SSID broadcasts would need to be disabled, with the downside that the workstation may be unable to find and join the "unfettered" connection).

Attempting to "space out" circumvention attempts in the hope that they are overlooked amid the "regular" traffic coming in and out, a sort of "camouflage" (in other words, not standing out too much should somebody decide to sift through the appliance logs).

Software downloaded and executed:

Teamviewer: Got it to download and run but not install

WinRAR did download, but was caught by the Sophos appliance and scanned first. It also required admin credentials, so this was a successful download but a failed execution.

Methods used to circumvent:

X11 forwarding. Using an Oracle Solaris 11.1 box under my control and configured for X11 forwarding over SSH, I was able to use a portable version of MobaXterm after managing to shut down the firewall via services.msc.

Like the previous labs, this resulted in access to all 12 sites, and somehow didn't register in the Sophos UTM logs (but it is possible that it would, and that my attempt was merely a stroke of luck in this regard, so one would have to be VERY careful with this method).

TeamViewer. This was installed on the workstations for legitimate usage. However, I found that I could connect to a separate Windows box outside the filter with a separate install of TeamViewer and access the sites.

HOWEVER, this was "caught" (see below)

Methods attempted, but unsuccessful:

Proxy sites. This method only works with new proxy sites that literally came out in the last 24 hours. Like the previous lab, I set up another test circumventor site on another PC and got through. The filtering companies, though, are often good at weeding them out by IPv4 address rather quickly. I put this under unsuccessful because it's a temporary circumvention that may last for merely a couple of hours, and would force a user to come up with a newly undiscovered proxy on the fly. I did try "Hide My Ass" and that was blocked.

Any sort of removable media. Couldn't open it.

PuTTY method. PuTTY would not connect to an outside SSH server running on port 4222. A look at the appliance logs shows that it dropped the connection AND registered the attempt.

Tor. I managed to smuggle it aboard by copying it onto my private FTP domain and then using the included WinSCP software to connect and download it to the workstation. Running it from the desktop, Vidalia was able to start, but in four attempts it stalled at "Establishing an encrypted directory connection" and thus didn't work, even after letting it sit for 10 minutes.

Circumventor site. For some reason (perhaps sheer luck), I couldn't use my "circumventor" site as recommended on Peacefire. I suspect that this would work in theory as a "one-trick pony" but would be quickly discovered and blocked on the appliance.

Methods Not Tried (involving hacking):

Anything that would involve gaining administrative access over the domain (or even merely the Web appliance).

One method that could conceivably be employed would involve the use of multiple PwnPlugs (available from the good folks at Pwnie Express for anywhere between $200 and $600 per unit; the higher-end ones are 3G-capable and even stealthier, though that would require a separate 3G data plan from a GSM-based mobile carrier such as AT&T).

Attempting to quietly remove the hard drive, mount it at home with a USB-to-SATA/IDE cable, and put the "illicit" software on it. This might fail for numerous reasons.

Attempting to swap out the hard drive for a near-identical one with Linux, BSD, UNIX, etc. installed instead of Windows. On the upside, this would bypass the software restrictions and enable the transfer and running of software. On the downside, this would be discovered rather quickly, as a casual analysis would show a non-Windows workstation floating around; tracking down the IP and MAC address could rather easily lead back to you.

Recommendations to Help Avoid Successful Circumvention of Dedicated Appliances:

Set a reasonable filtering policy, and consider allowing "relaxed" access to social networks, sports, and the like during lunch periods and after normal business hours or shift changes (shift-change relaxation could be done, for example, by providing a relaxed PC in the break room with a note saying to make sure an employee clocks out before logging on).

The stricter the policy, the more people are going to be driven to try and find ways around it, which in turn may pose even more problems, and not just in terms of morale

Do note that "relaxed" access may not necessarily be an option, particularly in office settings when people can vary on when they take breaks and lunches.

Rethink the policies that govern what programs may be put on the computer. Some vendors offer additional products or services that complement the web filtering by scanning USB drives.

It's also possible to have someone in the IT department write policies or scripts that prohibit non-administrators from running installers and "portable" apps, or to make the case for application whitelisting technology like AppLocker.

Watch what remote-access apps are installed, and if possible restrict who can install them and who can run them.

The circumvention method involving the Tor browser bundle was blocked by a combination of application control and firewall policies.

Firewall policies alone might not be enough, as a savvy user can simply change ports, and Tor already avoids fixed ones. Ports 9050 and 9051 are the Tor client's local SOCKS and control ports on the loopback interface; what the perimeter actually sees is outbound traffic to relays' ORPorts (commonly 9001, or 443 to blend in), so a rule that blocks only 9050/9051 at the firewall accomplishes little. Matching destinations against known relay addresses, together with application control, is what actually stops it.

Group Policy settings to enforce restrictions on common tools such as Regedit and cmd, and to allow only applications meeting certain criteria to execute, are probably a wise idea. For example, being unable to get a command prompt or PowerShell without domain admin or server-operator credentials limits the options of crackers and may force their hand in terms of the attempts they make to gain access. However, the downsides to this scenario are:

it is likely overkill, as the Sophos UTM could block most "evil" programs that require access to the outside to function; and

it can unintentionally hamper legitimate applications and services in their execution.

Remember that no method is foolproof, and that anyone with sufficient resources and time WILL figure out ways to get in and circumvent the filtering. In this case, Lloyd figured out that he could use a portable copy of MobaXterm at work to gain access to a Linux PC at home and do his surfing from there, particularly given that TeamViewer is being logged.

He could also risk it with TeamViewer and pray that his connections are judged innocuous enough not to be caught.

However, IT may catch on and watch WHERE the TeamViewer and/or SSH connections are coming from and going to.
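Two points above call for the same check: the SSH/X11 tunnel to the Solaris box went unnoticed while the PuTTY attempt on port 4222 was dropped and logged, and the Tor recommendation hinges on watching destinations rather than fixed ports. The script below is an added example written for this post, not part of the original lab and not a Sophos product or its real log format. The key="value" lines, every address in them, the Tor relay list and the 10.0.0.0/8 workstation range are all constructed assumptions. It flags accepted connections to interactive-tunnel ports (SSH, and TeamViewer's native port 5938), any destination on the relay list whatever the port, the same external endpoint reached on several distinct days (the "spaced out" camouflage), and bursts of dropped attempts to one endpoint (port hunting).

```python
"""Flag the channels this lab used (an SSH/X11 tunnel, TeamViewer, Tor) in
connection-log lines.  Added example: the log format and every address below
are constructed for illustration, not the Sophos UTM's real format."""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed workstation range
TUNNEL_PORTS = {22: "ssh", 5938: "teamviewer"}  # 5938 is TeamViewer's native port
# Stand-in for a relay list pulled from the Tor consensus; addresses are made up.
TOR_RELAYS = {("203.0.113.9", 9001), ("203.0.113.10", 443)}

LINE_RE = re.compile(r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) \S+ \S+: (?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed lines: Lloyd's workstation is 10.20.30.40, a well-behaved
# colleague is 10.20.30.41, the proxy is 10.20.30.2 and the home box is 198.51.100.7.
LOG_LINES = """\
2013:05:06-12:02:10 utm ulogd[4321]: action="accept" srcip="10.20.30.41" dstip="10.20.30.2" dstport="8080"
2013:05:06-12:02:31 utm ulogd[4321]: action="accept" srcip="10.20.30.41" dstip="198.51.100.80" dstport="443"
2013:05:06-12:03:05 utm ulogd[4321]: action="accept" srcip="10.20.30.40" dstip="198.51.100.7" dstport="22"
2013:05:06-12:40:12 utm ulogd[4321]: action="drop" srcip="10.20.30.40" dstip="198.51.100.7" dstport="4222"
2013:05:06-12:40:15 utm ulogd[4321]: action="drop" srcip="10.20.30.40" dstip="198.51.100.7" dstport="4222"
2013:05:06-12:40:21 utm ulogd[4321]: action="drop" srcip="10.20.30.40" dstip="198.51.100.7" dstport="4222"
2013:05:07-12:05:44 utm ulogd[4321]: action="accept" srcip="10.20.30.40" dstip="198.51.100.7" dstport="22"
2013:05:07-12:31:09 utm ulogd[4321]: action="accept" srcip="10.20.30.40" dstip="192.0.2.44" dstport="5938"
2013:05:08-12:10:02 utm ulogd[4321]: action="drop" srcip="10.20.30.40" dstip="203.0.113.9" dstport="9001"
2013:05:08-12:10:03 utm ulogd[4321]: action="drop" srcip="10.20.30.40" dstip="203.0.113.10" dstport="443"
2013:05:09-12:01:58 utm ulogd[4321]: action="accept" srcip="10.20.30.40" dstip="198.51.100.7" dstport="22"
""".splitlines()


def parse_line(line):
    """Return the key="value" fields of one line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = dict(KV_RE.findall(m.group("kv")))
    rec["ts"] = datetime.strptime(m.group("ts"), "%Y:%m:%d-%H:%M:%S")
    rec["dstport"] = int(rec["dstport"])
    return rec


def analyse(lines, tor_relays=TOR_RELAYS, min_days=3, drop_burst=3):
    """Return sorted (rule, srcip, dstip, dstport, detail) findings for
    workstation-to-Internet traffic.

    tunnel     accepted connection on a port used by interactive tunnels
    tor-relay  destination matches a known relay, whatever the port
    recurring  the same external endpoint reached on >= min_days distinct days
    probing    >= drop_burst dropped attempts to one endpoint (port hunting)
    """
    findings = set()
    days = defaultdict(set)   # (src, dst, port) -> dates on which it was accepted
    drops = Counter()         # (src, dst, port) -> dropped attempts
    for rec in filter(None, map(parse_line, lines)):
        src = ipaddress.ip_address(rec["srcip"])
        dst = ipaddress.ip_address(rec["dstip"])
        if src not in INTERNAL or dst in INTERNAL:
            continue          # only workstation -> outside traffic matters here
        key = (rec["srcip"], rec["dstip"], rec["dstport"])
        if (rec["dstip"], rec["dstport"]) in tor_relays:
            findings.add(("tor-relay", *key, rec["action"]))
        if rec["action"] == "accept":
            if rec["dstport"] in TUNNEL_PORTS:
                findings.add(("tunnel", *key, TUNNEL_PORTS[rec["dstport"]]))
            days[key].add(rec["ts"].date())
        else:
            drops[key] += 1
    for key, seen in days.items():
        if len(seen) >= min_days:
            findings.add(("recurring", *key, f"{len(seen)} days"))
    for key, n in drops.items():
        if n >= drop_burst:
            findings.add(("probing", *key, f"{n} dropped attempts"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in analyse(LOG_LINES):
        print(*finding)
```

Run without a relay list (`analyse(LOG_LINES, tor_relays=set())`) and the relay on port 443 disappears from the output entirely, which is the point made above: the port tells you nothing, the destination does. The colleague's proxy and HTTPS traffic never appears because the rules only look at direct workstation-to-Internet connections, which on this network should be going through the appliance in the first place.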

End Notes:

While I do overcome the Sophos UTM in this lab, I wish to stress that it's not a failing of the system itself but rather of the policies that the administrator used; stronger policies did in fact stop the successful methods dead in their tracks.

Thus I still recommend it, as the price is right and in many cases the only modifications needed to an old PC would be to ensure ample memory and hard-disk space as well as an additional network card.

The logging features also mean that neither of these attempts is a long-term solution: the longer and "heavier" people use them, the more likely the people employing these techniques are going to be busted.

Many companies use top-of-the-line equipment that provides a lot more features--and usually has a competent systems admin versed in security at its helm

This point also differentiates this lab from the previous three: the other three required the "attacker" to work around the technology, whereas this one was much more of an attack against policies and possible misconfigurations.